Comment 0 for bug 1453074

Nikita Konovalov (nkonovalov) wrote : help_text parameter of fields is vulnerable to arbitrary html injection

The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from user input.

The Heat UI allows creating stacks from user input that defines parameters. Those parameters are then converted to input fields, which are vulnerable.

The heat stack example exploit:

description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
  param1:
    type: string
    label: normal_label
    description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {}
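
Added example, not part of the original report and not Horizon code: a regression-style check that renders the parameter description from the template above as field help text, with and without HTML escaping, and lists the elements an HTML parser actually sees. The render_field function and its markup are assumptions made for illustration; the stdlib html.escape stands in for whatever escaping the template layer applies.

```python
import html
from html.parser import HTMLParser

# Parameter description copied from the template in the report above.
DESCRIPTION = "hack=\"><script>alert('YOUR HORIZON IS PWNED')</script>\""


def render_field(name, help_text, escape):
    """Hypothetical renderer: puts help_text in an attribute and a help span.

    `name` is a fixed, trusted value in this example and is not escaped.
    """
    if escape:
        # quote=True also encodes " and ', which matters inside attributes.
        help_text = html.escape(help_text, quote=True)
    return ('<input type="text" name="%s" title="%s">'
            '<span class="help-block">%s</span>' % (name, help_text, help_text))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, plus decoded title values."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.titles = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.titles.extend(value for key, value in attrs if key == "title")


def inspect(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injected_tags(markup, allowed=("input", "span")):
    """Elements present in the parsed output that the renderer never emits."""
    return [tag for tag in inspect(markup).tags if tag not in allowed]


if __name__ == "__main__":
    for escape in (False, True):
        page = render_field("param1", DESCRIPTION, escape)
        print("escape=%s injected=%s" % (escape, injected_tags(page)))
```

With escaping on, the title attribute decodes back to the exact description text, so the user still sees what the template author wrote.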